Scaling security governance using AWS SRA with Snowflake
Snowflake aligned its AWS Organizations resources with the AWS SRA to reduce the scope of impact and automate security.
Benefits
more SCP coverage through account isolation
standard for M&A account onboarding
Overview
Trust and security are foundational to Snowflake Inc. (Snowflake), an AI data cloud company. Protecting sensitive data extends beyond customer workloads to Snowflake’s internal environment. As the company expanded, it needed an architectural design that could scale governance without increasing risk. So, Snowflake modernized its enterprise network on Amazon Web Services (AWS).
The company had used AWS Organizations for central governance and consistent management of its AWS resources. And it aligned these resources with the AWS Security Reference Architecture (AWS SRA), a holistic set of guidelines for deploying AWS security services in a multi-account environment. Moving from a centralized model to an isolated multi-account architecture, Snowflake could use accounts as logical containers to limit the scope of impact.
By embedding expanded service control policy (SCP) coverage and event-based security automations, the company reduced mean time to respond (MTTR) for its virtual network security boundaries from hours to seconds. This shift helped Snowflake establish a hardened foundation for its all-cloud enterprise and automate self-healing for boundary violations.
About Snowflake Inc.
Snowflake Inc. provides a platform that helps enterprises innovate faster and get more value from data. Some of the world’s largest companies use Snowflake’s AI Data Cloud to build, use, and share data, applications, and AI.
Opportunity | Modernizing an enterprise network on AWS for Snowflake
As Snowflake scaled its business, its internal enterprise environment expanded to support teams and applications across regions. Because the company handles highly sensitive data, it designs its internal systems with strict security and reliability requirements.
Over time, many internal workloads shared a small number of AWS accounts connected through a centralized network hub. Although this supported initial growth, it made it harder to understand expected behavior or assess the impact of changes across shared resources. Managing a logical scope of impact was complex, and establishing consistent baselines for monitoring and access across shared infrastructure became difficult. “We had a lot of different things in only a few accounts,” says Brad Williams, cloud security engineer at Snowflake. “When you have shared services and multiple workloads in a few accounts, it becomes difficult to understand what’s expected and what isn’t.”
Snowflake recognized that continuing to scale this model could introduce operational challenges. The company needed a design that could support growth while reinforcing security into the architecture, prompting a shift toward isolation, clear ownership, and hardened security boundaries on AWS.
Solution | Scaling governance by using the AWS SRA
Snowflake redesigned its enterprise network around AWS accounts as the logical container for the scope of impact. Assigning a clear purpose to each account, the company made ownership and expected behavior easier to define and verify.
To validate design decisions, Snowflake aligned its architecture with the AWS SRA. This alignment helps Snowflake use an organizational-unit structure that supports consistent governance and one-standard onboarding for accounts that the company gains through mergers and acquisitions (M&A). As a result, Snowflake can integrate new workloads without impacting existing operations.
AWS Transit Gateway connects AWS accounts to a single gateway through a hub-and-spoke model, serving as the centralized network backbone. Using AWS SCPs, Snowflake enforces preventive controls that block unsafe actions before they occur. The company migrated its organization-wide shared services into isolated accounts, expanding SCP coverage to more services than the original design allowed.
Snowflake also established a dedicated security account to monitor and initiate event-based security automations. These automations are designed to self-heal virtual network security boundaries the moment that a violation is detected. “The old model relied on people and process,” says Gaurav Singodia, senior cloud manager at Snowflake. “The new model enforces guardrails that make out-of-policy actions highly unlikely.” By embedding these automated guardrails directly into the environment, the company established a foundation that supports an all-cloud enterprise at scale.
Outcome | Hardening boundaries and automating response at scale
The new architecture changed how Snowflake’s teams operate day-to-day. Isolating shared services into dedicated accounts made it simpler to understand normal activity, manage access, and identify deviations. The most significant impact was seen in the speed of response. By using event-based automations, Snowflake reduced its mean time to detect and MTTR for network security boundary violations from hours to seconds. More specifically, the automated self-healing in near real time led to a 5-second MTTR.
By increasing the SCP coverage by 30 percent across its AWS Organizations resources, Snowflake provides deeper preventive protection for shared services. The alignment with the AWS SRA guidance also simplifies the company’s M&A strategy, facilitating the rapid governance of acquired accounts without disrupting workload operations.
The new foundation sustains Snowflake’s growth without adding complexity. Clear account ownership improved team autonomy, while consistent guardrails reduced operational friction. “This gives us a foundation we can keep building on,” says Williams. “We can support our continued growth on AWS while maintaining consistent governance as the enterprise environment evolves.”
This gives us a foundation we can keep building on. We can support our continued growth on AWS while maintaining consistent governance as the enterprise environment evolves.
Brad Williams
Cloud Security Engineer, Snowflake Inc.AWS Services Used
Did you find what you were looking for today?
Let us know so we can improve the quality of the content on our pages